To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 1194
- compare with another revision
- download diff
- download tarball
- view history from revision 1194
- Committer: teddy at recompile
- Date: 2019-12-05 03:38:07 UTC
- Revision ID: teddy@recompile.se-20191205033807-6awt45zpgp194vl1
From: Frans Spiesschaert <Frans.Spiesschaert@yucom.be>
Add Dutch debconf translation
* debian/po/nl.po: New.
Acked-by: Teddy Hogeborn <teddy@recompile.se>
Add Dutch debconf translation
* debian/po/nl.po: New.
Acked-by: Teddy Hogeborn <teddy@recompile.se>
- files added:
- debian/mandos-client.templates
- debian/tests
- dracut-module
- files removed:
- initramfs-tools-hook-conf
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python
2
# -*- mode: python; coding: utf-8 -*-
1
#!/usr/bin/python3 -bI
2
# -*- mode: python; after-save-hook: (lambda () (let ((command (if (fboundp 'file-local-name) (file-local-name (buffer-file-name)) (or (file-remote-p (buffer-file-name) 'localname) (buffer-file-name))))) (if (= (progn (if (get-buffer "*Test*") (kill-buffer "*Test*")) (process-file-shell-command (format "%s --check" (shell-quote-argument command)) nil "*Test*")) 0) (let ((w (get-buffer-window "*Test*"))) (if w (delete-window w))) (progn (with-current-buffer "*Test*" (compilation-mode)) (display-buffer "*Test*" '(display-buffer-in-side-window)))))); coding: utf-8 -*-
3
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
5
#
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008-2018 Teddy Hogeborn
15
# Copyright © 2008-2018 Björn Påhlsson
14
# Copyright © 2008-2019 Teddy Hogeborn
15
# Copyright © 2008-2019 Björn Påhlsson
16
16
#
17
17
# This file is part of Mandos.
18
18
#
77
77
import itertools
78
78
import collections
79
79
import codecs
80
import unittest
80
81
81
82
import dbus
82
83
import dbus.service
84
import gi
83
85
from gi.repository import GLib
84
86
from dbus.mainloop.glib import DBusGMainLoop
85
87
import ctypes
87
89
import xml.dom.minidom
88
90
import inspect
89
91
92
if sys.version_info.major == 2:
93
__metaclass__ = type
94
str = unicode
95
96
# Show warnings by default
97
if not sys.warnoptions:
98
import warnings
99
warnings.simplefilter("default")
100
90
101
# Try to find the value of SO_BINDTODEVICE:
91
102
try:
92
103
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
112
123
# No value found
113
124
SO_BINDTODEVICE = None
114
125
115
if sys.version_info.major == 2:
116
str = unicode
126
if sys.version_info < (3, 2):
127
configparser.Configparser = configparser.SafeConfigParser
117
128
118
version = "1.7.16"
129
version = "1.8.9"
119
130
stored_state_file = "clients.pickle"
120
131
121
132
logger = logging.getLogger()
133
logging.captureWarnings(True) # Show warnings via the logging system
122
134
syslogger = None
123
135
124
136
try:
179
191
pass
180
192
181
193
182
class PGPEngine(object):
194
class PGPEngine:
183
195
"""A simple class for OpenPGP symmetric encryption & decryption"""
184
196
185
197
def __init__(self):
189
201
output = subprocess.check_output(["gpgconf"])
190
202
for line in output.splitlines():
191
203
name, text, path = line.split(b":")
192
if name == "gpg":
204
if name == b"gpg":
193
205
self.gpg = path
194
206
break
195
207
except OSError as e:
200
212
'--force-mdc',
201
213
'--quiet']
202
214
# Only GPG version 1 has the --no-use-agent option.
203
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
215
if self.gpg == b"gpg" or self.gpg.endswith(b"/gpg"):
204
216
self.gnupgargs.append("--no-use-agent")
205
217
206
218
def __enter__(self):
275
287
276
288
277
289
# Pretend that we have an Avahi module
278
class Avahi(object):
279
"""This isn't so much a class as it is a module-like namespace.
280
It is instantiated once, and simulates having an Avahi module."""
290
class avahi:
291
"""This isn't so much a class as it is a module-like namespace."""
281
292
IF_UNSPEC = -1 # avahi-common/address.h
282
293
PROTO_UNSPEC = -1 # avahi-common/address.h
283
294
PROTO_INET = 0 # avahi-common/address.h
287
298
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
288
299
DBUS_PATH_SERVER = "/"
289
300
290
def string_array_to_txt_array(self, t):
301
@staticmethod
302
def string_array_to_txt_array(t):
291
303
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
292
304
for s in t), signature="ay")
293
305
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
298
310
SERVER_RUNNING = 2 # avahi-common/defs.h
299
311
SERVER_COLLISION = 3 # avahi-common/defs.h
300
312
SERVER_FAILURE = 4 # avahi-common/defs.h
301
avahi = Avahi()
302
313
303
314
304
315
class AvahiError(Exception):
316
327
pass
317
328
318
329
319
class AvahiService(object):
330
class AvahiService:
320
331
"""An Avahi (Zeroconf) service.
321
332
322
333
Attributes:
496
507
class AvahiServiceToSyslog(AvahiService):
497
508
def rename(self, *args, **kwargs):
498
509
"""Add the new name to the syslog messages"""
499
ret = super(AvahiServiceToSyslog, self).rename(self, *args,
500
**kwargs)
510
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
501
511
syslogger.setFormatter(logging.Formatter(
502
512
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
503
513
.format(self.name)))
505
515
506
516
507
517
# Pretend that we have a GnuTLS module
508
class GnuTLS(object):
509
"""This isn't so much a class as it is a module-like namespace.
510
It is instantiated once, and simulates having a GnuTLS module."""
518
class gnutls:
519
"""This isn't so much a class as it is a module-like namespace."""
511
520
512
521
library = ctypes.util.find_library("gnutls")
513
522
if library is None:
514
523
library = ctypes.util.find_library("gnutls-deb0")
515
524
_library = ctypes.cdll.LoadLibrary(library)
516
525
del library
517
_need_version = b"3.3.0"
518
519
def __init__(self):
520
# Need to use "self" here, since this method is called before
521
# the assignment to the "gnutls" global variable happens.
522
if self.check_version(self._need_version) is None:
523
raise self.Error("Needs GnuTLS {} or later"
524
.format(self._need_version))
525
526
526
527
# Unless otherwise indicated, the constants and types below are
527
528
# all from the gnutls/gnutls.h C header file.
531
532
E_INTERRUPTED = -52
532
533
E_AGAIN = -28
533
534
CRT_OPENPGP = 2
535
CRT_RAWPK = 3
534
536
CLIENT = 2
535
537
SHUT_RDWR = 0
536
538
CRD_CERTIFICATE = 1
537
539
E_NO_CERTIFICATE_FOUND = -49
540
X509_FMT_DER = 0
541
NO_TICKETS = 1<<10
542
ENABLE_RAWPK = 1<<18
543
CTYPE_PEERS = 3
544
KEYID_USE_SHA256 = 1 # gnutls/x509.h
538
545
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
539
546
540
547
# Types
563
570
564
571
# Exceptions
565
572
class Error(Exception):
566
# We need to use the class name "GnuTLS" here, since this
567
# exception might be raised from within GnuTLS.__init__,
568
# which is called before the assignment to the "gnutls"
569
# global variable has happened.
570
573
def __init__(self, message=None, code=None, args=()):
571
574
# Default usage is by a message string, but if a return
572
575
# code is passed, convert it to a string with
573
576
# gnutls.strerror()
574
577
self.code = code
575
578
if message is None and code is not None:
576
message = GnuTLS.strerror(code)
577
return super(GnuTLS.Error, self).__init__(
579
message = gnutls.strerror(code)
580
return super(gnutls.Error, self).__init__(
578
581
message, *args)
579
582
580
583
class CertificateSecurityError(Error):
581
584
pass
582
585
583
586
# Classes
584
class Credentials(object):
587
class Credentials:
585
588
def __init__(self):
586
589
self._c_object = gnutls.certificate_credentials_t()
587
590
gnutls.certificate_allocate_credentials(
591
594
def __del__(self):
592
595
gnutls.certificate_free_credentials(self._c_object)
593
596
594
class ClientSession(object):
597
class ClientSession:
595
598
def __init__(self, socket, credentials=None):
596
599
self._c_object = gnutls.session_t()
597
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
600
gnutls_flags = gnutls.CLIENT
601
if gnutls.check_version(b"3.5.6"):
602
gnutls_flags |= gnutls.NO_TICKETS
603
if gnutls.has_rawpk:
604
gnutls_flags |= gnutls.ENABLE_RAWPK
605
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
606
del gnutls_flags
598
607
gnutls.set_default_priority(self._c_object)
599
608
gnutls.transport_set_ptr(self._c_object, socket.fileno())
600
609
gnutls.handshake_set_private_extensions(self._c_object,
732
741
check_version.argtypes = [ctypes.c_char_p]
733
742
check_version.restype = ctypes.c_char_p
734
743
735
# All the function declarations below are from gnutls/openpgp.h
736
737
openpgp_crt_init = _library.gnutls_openpgp_crt_init
738
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
739
openpgp_crt_init.restype = _error_code
740
741
openpgp_crt_import = _library.gnutls_openpgp_crt_import
742
openpgp_crt_import.argtypes = [openpgp_crt_t,
743
ctypes.POINTER(datum_t),
744
openpgp_crt_fmt_t]
745
openpgp_crt_import.restype = _error_code
746
747
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
748
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
749
ctypes.POINTER(ctypes.c_uint)]
750
openpgp_crt_verify_self.restype = _error_code
751
752
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
753
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
754
openpgp_crt_deinit.restype = None
755
756
openpgp_crt_get_fingerprint = (
757
_library.gnutls_openpgp_crt_get_fingerprint)
758
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
759
ctypes.c_void_p,
760
ctypes.POINTER(
761
ctypes.c_size_t)]
762
openpgp_crt_get_fingerprint.restype = _error_code
744
_need_version = b"3.3.0"
745
if check_version(_need_version) is None:
746
raise self.Error("Needs GnuTLS {} or later"
747
.format(_need_version))
748
749
_tls_rawpk_version = b"3.6.6"
750
has_rawpk = bool(check_version(_tls_rawpk_version))
751
752
if has_rawpk:
753
# Types
754
class pubkey_st(ctypes.Structure):
755
_fields = []
756
pubkey_t = ctypes.POINTER(pubkey_st)
757
758
x509_crt_fmt_t = ctypes.c_int
759
760
# All the function declarations below are from gnutls/abstract.h
761
pubkey_init = _library.gnutls_pubkey_init
762
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
763
pubkey_init.restype = _error_code
764
765
pubkey_import = _library.gnutls_pubkey_import
766
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
767
x509_crt_fmt_t]
768
pubkey_import.restype = _error_code
769
770
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
771
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
772
ctypes.POINTER(ctypes.c_ubyte),
773
ctypes.POINTER(ctypes.c_size_t)]
774
pubkey_get_key_id.restype = _error_code
775
776
pubkey_deinit = _library.gnutls_pubkey_deinit
777
pubkey_deinit.argtypes = [pubkey_t]
778
pubkey_deinit.restype = None
779
else:
780
# All the function declarations below are from gnutls/openpgp.h
781
782
openpgp_crt_init = _library.gnutls_openpgp_crt_init
783
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
784
openpgp_crt_init.restype = _error_code
785
786
openpgp_crt_import = _library.gnutls_openpgp_crt_import
787
openpgp_crt_import.argtypes = [openpgp_crt_t,
788
ctypes.POINTER(datum_t),
789
openpgp_crt_fmt_t]
790
openpgp_crt_import.restype = _error_code
791
792
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
793
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
794
ctypes.POINTER(ctypes.c_uint)]
795
openpgp_crt_verify_self.restype = _error_code
796
797
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
798
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
799
openpgp_crt_deinit.restype = None
800
801
openpgp_crt_get_fingerprint = (
802
_library.gnutls_openpgp_crt_get_fingerprint)
803
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
804
ctypes.c_void_p,
805
ctypes.POINTER(
806
ctypes.c_size_t)]
807
openpgp_crt_get_fingerprint.restype = _error_code
808
809
if check_version(b"3.6.4"):
810
certificate_type_get2 = _library.gnutls_certificate_type_get2
811
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
812
certificate_type_get2.restype = _error_code
763
813
764
814
# Remove non-public functions
765
815
del _error_code, _retry_on_error
766
# Create the global "gnutls" object, simulating a module
767
gnutls = GnuTLS()
768
816
769
817
770
818
def call_pipe(connection, # : multiprocessing.Connection
778
826
connection.close()
779
827
780
828
781
class Client(object):
829
class Client:
782
830
"""A representation of a client host served by this server.
783
831
784
832
Attributes:
785
833
approved: bool(); 'None' if not yet approved/disapproved
786
834
approval_delay: datetime.timedelta(); Time to wait for approval
787
835
approval_duration: datetime.timedelta(); Duration of one approval
788
checker: subprocess.Popen(); a running checker process used
789
to see if the client lives.
790
'None' if no process is running.
836
checker: multiprocessing.Process(); a running checker process used
837
to see if the client lives. 'None' if no process is
838
running.
791
839
checker_callback_tag: a GLib event source tag, or None
792
840
checker_command: string; External command which is run to check
793
841
if client lives. %() expansions are done at
801
849
disable_initiator_tag: a GLib event source tag, or None
802
850
enabled: bool()
803
851
fingerprint: string (40 or 32 hexadecimal digits); used to
804
uniquely identify the client
852
uniquely identify an OpenPGP client
853
key_id: string (64 hexadecimal digits); used to uniquely identify
854
a client using raw public keys
805
855
host: string; available for use by the checker command
806
856
interval: datetime.timedelta(); How often to start a new checker
807
857
last_approval_request: datetime.datetime(); (UTC) or None
825
875
"""
826
876
827
877
runtime_expansions = ("approval_delay", "approval_duration",
828
"created", "enabled", "expires",
878
"created", "enabled", "expires", "key_id",
829
879
"fingerprint", "host", "interval",
830
880
"last_approval_request", "last_checked_ok",
831
881
"last_enabled", "name", "timeout")
861
911
client["enabled"] = config.getboolean(client_name,
862
912
"enabled")
863
913
864
# Uppercase and remove spaces from fingerprint for later
865
# comparison purposes with return value from the
866
# fingerprint() function
914
# Uppercase and remove spaces from key_id and fingerprint
915
# for later comparison purposes with return value from the
916
# key_id() and fingerprint() functions
917
client["key_id"] = (section.get("key_id", "").upper()
918
.replace(" ", ""))
867
919
client["fingerprint"] = (section["fingerprint"].upper()
868
920
.replace(" ", ""))
869
921
if "secret" in section:
913
965
self.expires = None
914
966
915
967
logger.debug("Creating client %r", self.name)
968
logger.debug(" Key ID: %s", self.key_id)
916
969
logger.debug(" Fingerprint: %s", self.fingerprint)
917
970
self.created = settings.get("created",
918
971
datetime.datetime.utcnow())
995
1048
def checker_callback(self, source, condition, connection,
996
1049
command):
997
1050
"""The checker has completed, so take appropriate actions."""
998
self.checker_callback_tag = None
999
self.checker = None
1000
1051
# Read return code from connection (see call_pipe)
1001
1052
returncode = connection.recv()
1002
1053
connection.close()
1054
if self.checker is not None:
1055
self.checker.join()
1056
self.checker_callback_tag = None
1057
self.checker = None
1003
1058
1004
1059
if returncode >= 0:
1005
1060
self.last_checker_status = returncode
1094
1149
kwargs=popen_args)
1095
1150
self.checker.start()
1096
1151
self.checker_callback_tag = GLib.io_add_watch(
1097
pipe[0].fileno(), GLib.IO_IN,
1152
GLib.IOChannel.unix_new(pipe[0].fileno()),
1153
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
1098
1154
self.checker_callback, pipe[0], command)
1099
1155
# Re-run this periodically if run by GLib.timeout_add
1100
1156
return True
1355
1411
raise ValueError("Byte arrays not supported for non-"
1356
1412
"'ay' signature {!r}"
1357
1413
.format(prop._dbus_signature))
1358
value = dbus.ByteArray(b''.join(chr(byte)
1359
for byte in value))
1414
value = dbus.ByteArray(bytes(value))
1360
1415
prop(value)
1361
1416
1362
1417
@dbus.service.method(dbus.PROPERTIES_IFACE,
2000
2055
def Name_dbus_property(self):
2001
2056
return dbus.String(self.name)
2002
2057
2058
# KeyID - property
2059
@dbus_annotations(
2060
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2061
@dbus_service_property(_interface, signature="s", access="read")
2062
def KeyID_dbus_property(self):
2063
return dbus.String(self.key_id)
2064
2003
2065
# Fingerprint - property
2004
2066
@dbus_annotations(
2005
2067
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2160
2222
del _interface
2161
2223
2162
2224
2163
class ProxyClient(object):
2164
def __init__(self, child_pipe, fpr, address):
2225
class ProxyClient:
2226
def __init__(self, child_pipe, key_id, fpr, address):
2165
2227
self._pipe = child_pipe
2166
self._pipe.send(('init', fpr, address))
2228
self._pipe.send(('init', key_id, fpr, address))
2167
2229
if not self._pipe.recv():
2168
raise KeyError(fpr)
2230
raise KeyError(key_id or fpr)
2169
2231
2170
2232
def __getattribute__(self, name):
2171
2233
if name == '_pipe':
2238
2300
2239
2301
approval_required = False
2240
2302
try:
2241
try:
2242
fpr = self.fingerprint(
2243
self.peer_certificate(session))
2244
except (TypeError, gnutls.Error) as error:
2245
logger.warning("Bad certificate: %s", error)
2246
return
2247
logger.debug("Fingerprint: %s", fpr)
2248
2249
try:
2250
client = ProxyClient(child_pipe, fpr,
2303
if gnutls.has_rawpk:
2304
fpr = b""
2305
try:
2306
key_id = self.key_id(
2307
self.peer_certificate(session))
2308
except (TypeError, gnutls.Error) as error:
2309
logger.warning("Bad certificate: %s", error)
2310
return
2311
logger.debug("Key ID: %s", key_id)
2312
2313
else:
2314
key_id = b""
2315
try:
2316
fpr = self.fingerprint(
2317
self.peer_certificate(session))
2318
except (TypeError, gnutls.Error) as error:
2319
logger.warning("Bad certificate: %s", error)
2320
return
2321
logger.debug("Fingerprint: %s", fpr)
2322
2323
try:
2324
client = ProxyClient(child_pipe, key_id, fpr,
2251
2325
self.client_address)
2252
2326
except KeyError:
2253
2327
return
2330
2404
2331
2405
@staticmethod
2332
2406
def peer_certificate(session):
2333
"Return the peer's OpenPGP certificate as a bytestring"
2334
# If not an OpenPGP certificate...
2335
if (gnutls.certificate_type_get(session._c_object)
2336
!= gnutls.CRT_OPENPGP):
2407
"Return the peer's certificate as a bytestring"
2408
try:
2409
cert_type = gnutls.certificate_type_get2(session._c_object,
2410
gnutls.CTYPE_PEERS)
2411
except AttributeError:
2412
cert_type = gnutls.certificate_type_get(session._c_object)
2413
if gnutls.has_rawpk:
2414
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2415
else:
2416
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2417
# If not a valid certificate type...
2418
if cert_type not in valid_cert_types:
2419
logger.info("Cert type %r not in %r", cert_type,
2420
valid_cert_types)
2337
2421
# ...return invalid data
2338
2422
return b""
2339
2423
list_size = ctypes.c_uint(1)
2347
2431
return ctypes.string_at(cert.data, cert.size)
2348
2432
2349
2433
@staticmethod
2434
def key_id(certificate):
2435
"Convert a certificate bytestring to a hexdigit key ID"
2436
# New GnuTLS "datum" with the public key
2437
datum = gnutls.datum_t(
2438
ctypes.cast(ctypes.c_char_p(certificate),
2439
ctypes.POINTER(ctypes.c_ubyte)),
2440
ctypes.c_uint(len(certificate)))
2441
# XXX all these need to be created in the gnutls "module"
2442
# New empty GnuTLS certificate
2443
pubkey = gnutls.pubkey_t()
2444
gnutls.pubkey_init(ctypes.byref(pubkey))
2445
# Import the raw public key into the certificate
2446
gnutls.pubkey_import(pubkey,
2447
ctypes.byref(datum),
2448
gnutls.X509_FMT_DER)
2449
# New buffer for the key ID
2450
buf = ctypes.create_string_buffer(32)
2451
buf_len = ctypes.c_size_t(len(buf))
2452
# Get the key ID from the raw public key into the buffer
2453
gnutls.pubkey_get_key_id(pubkey,
2454
gnutls.KEYID_USE_SHA256,
2455
ctypes.cast(ctypes.byref(buf),
2456
ctypes.POINTER(ctypes.c_ubyte)),
2457
ctypes.byref(buf_len))
2458
# Deinit the certificate
2459
gnutls.pubkey_deinit(pubkey)
2460
2461
# Convert the buffer to a Python bytestring
2462
key_id = ctypes.string_at(buf, buf_len.value)
2463
# Convert the bytestring to hexadecimal notation
2464
hex_key_id = binascii.hexlify(key_id).upper()
2465
return hex_key_id
2466
2467
@staticmethod
2350
2468
def fingerprint(openpgp):
2351
2469
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2352
2470
# New GnuTLS "datum" with the OpenPGP public key
2366
2484
ctypes.byref(crtverify))
2367
2485
if crtverify.value != 0:
2368
2486
gnutls.openpgp_crt_deinit(crt)
2369
raise gnutls.CertificateSecurityError("Verify failed")
2487
raise gnutls.CertificateSecurityError(code
2488
=crtverify.value)
2370
2489
# New buffer for the fingerprint
2371
2490
buf = ctypes.create_string_buffer(20)
2372
2491
buf_len = ctypes.c_size_t()
2382
2501
return hex_fpr
2383
2502
2384
2503
2385
class MultiprocessingMixIn(object):
2504
class MultiprocessingMixIn:
2386
2505
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2387
2506
2388
2507
def sub_process_main(self, request, address):
2400
2519
return proc
2401
2520
2402
2521
2403
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2522
class MultiprocessingMixInWithPipe(MultiprocessingMixIn):
2404
2523
""" adds a pipe to the MixIn """
2405
2524
2406
2525
def process_request(self, request, client_address):
2421
2540
2422
2541
2423
2542
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2424
socketserver.TCPServer, object):
2543
socketserver.TCPServer):
2425
2544
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2426
2545
2427
2546
Attributes:
2500
2619
raise
2501
2620
# Only bind(2) the socket if we really need to.
2502
2621
if self.server_address[0] or self.server_address[1]:
2622
if self.server_address[1]:
2623
self.allow_reuse_address = True
2503
2624
if not self.server_address[0]:
2504
2625
if self.address_family == socket.AF_INET6:
2505
2626
any_address = "::" # in6addr_any
2558
2679
def add_pipe(self, parent_pipe, proc):
2559
2680
# Call "handle_ipc" for both data and EOF events
2560
2681
GLib.io_add_watch(
2561
parent_pipe.fileno(),
2562
GLib.IO_IN | GLib.IO_HUP,
2682
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2683
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2563
2684
functools.partial(self.handle_ipc,
2564
2685
parent_pipe=parent_pipe,
2565
2686
proc=proc))
2579
2700
command = request[0]
2580
2701
2581
2702
if command == 'init':
2582
fpr = request[1].decode("ascii")
2583
address = request[2]
2703
key_id = request[1].decode("ascii")
2704
fpr = request[2].decode("ascii")
2705
address = request[3]
2584
2706
2585
2707
for c in self.clients.values():
2586
if c.fingerprint == fpr:
2708
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2709
continue
2710
if key_id and c.key_id == key_id:
2711
client = c
2712
break
2713
if fpr and c.fingerprint == fpr:
2587
2714
client = c
2588
2715
break
2589
2716
else:
2590
logger.info("Client not found for fingerprint: %s, ad"
2591
"dress: %s", fpr, address)
2717
logger.info("Client not found for key ID: %s, address"
2718
": %s", key_id or fpr, address)
2592
2719
if self.use_dbus:
2593
2720
# Emit D-Bus signal
2594
mandos_dbus_service.ClientNotFound(fpr,
2721
mandos_dbus_service.ClientNotFound(key_id or fpr,
2595
2722
address[0])
2596
2723
parent_pipe.send(False)
2597
2724
return False
2598
2725
2599
2726
GLib.io_add_watch(
2600
parent_pipe.fileno(),
2601
GLib.IO_IN | GLib.IO_HUP,
2727
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2728
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2602
2729
functools.partial(self.handle_ipc,
2603
2730
parent_pipe=parent_pipe,
2604
2731
proc=proc,
2636
2763
def rfc3339_duration_to_delta(duration):
2637
2764
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2638
2765
2639
>>> rfc3339_duration_to_delta("P7D")
2640
datetime.timedelta(7)
2641
>>> rfc3339_duration_to_delta("PT60S")
2642
datetime.timedelta(0, 60)
2643
>>> rfc3339_duration_to_delta("PT60M")
2644
datetime.timedelta(0, 3600)
2645
>>> rfc3339_duration_to_delta("PT24H")
2646
datetime.timedelta(1)
2647
>>> rfc3339_duration_to_delta("P1W")
2648
datetime.timedelta(7)
2649
>>> rfc3339_duration_to_delta("PT5M30S")
2650
datetime.timedelta(0, 330)
2651
>>> rfc3339_duration_to_delta("P1DT3M20S")
2652
datetime.timedelta(1, 200)
2766
>>> rfc3339_duration_to_delta("P7D") == datetime.timedelta(7)
2767
True
2768
>>> rfc3339_duration_to_delta("PT60S") == datetime.timedelta(0, 60)
2769
True
2770
>>> rfc3339_duration_to_delta("PT60M") == datetime.timedelta(0, 3600)
2771
True
2772
>>> rfc3339_duration_to_delta("PT24H") == datetime.timedelta(1)
2773
True
2774
>>> rfc3339_duration_to_delta("P1W") == datetime.timedelta(7)
2775
True
2776
>>> rfc3339_duration_to_delta("PT5M30S") == datetime.timedelta(0, 330)
2777
True
2778
>>> rfc3339_duration_to_delta("P1DT3M20S") == datetime.timedelta(1, 200)
2779
True
2653
2780
"""
2654
2781
2655
2782
# Parsing an RFC 3339 duration with regular expressions is not
2735
2862
def string_to_delta(interval):
2736
2863
"""Parse a string and return a datetime.timedelta
2737
2864
2738
>>> string_to_delta('7d')
2739
datetime.timedelta(7)
2740
>>> string_to_delta('60s')
2741
datetime.timedelta(0, 60)
2742
>>> string_to_delta('60m')
2743
datetime.timedelta(0, 3600)
2744
>>> string_to_delta('24h')
2745
datetime.timedelta(1)
2746
>>> string_to_delta('1w')
2747
datetime.timedelta(7)
2748
>>> string_to_delta('5m 30s')
2749
datetime.timedelta(0, 330)
2865
>>> string_to_delta('7d') == datetime.timedelta(7)
2866
True
2867
>>> string_to_delta('60s') == datetime.timedelta(0, 60)
2868
True
2869
>>> string_to_delta('60m') == datetime.timedelta(0, 3600)
2870
True
2871
>>> string_to_delta('24h') == datetime.timedelta(1)
2872
True
2873
>>> string_to_delta('1w') == datetime.timedelta(7)
2874
True
2875
>>> string_to_delta('5m 30s') == datetime.timedelta(0, 330)
2876
True
2750
2877
"""
2751
2878
2752
2879
try:
2854
2981
2855
2982
options = parser.parse_args()
2856
2983
2857
if options.check:
2858
import doctest
2859
fail_count, test_count = doctest.testmod()
2860
sys.exit(os.EX_OK if fail_count == 0 else 1)
2861
2862
2984
# Default values for config file for server-global settings
2985
if gnutls.has_rawpk:
2986
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
2987
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
2988
else:
2989
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2990
":+SIGN-DSA-SHA256")
2863
2991
server_defaults = {"interface": "",
2864
2992
"address": "",
2865
2993
"port": "",
2866
2994
"debug": "False",
2867
"priority":
2868
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2869
":+SIGN-DSA-SHA256",
2995
"priority": priority,
2870
2996
"servicename": "Mandos",
2871
2997
"use_dbus": "True",
2872
2998
"use_ipv6": "True",
2877
3003
"foreground": "False",
2878
3004
"zeroconf": "True",
2879
3005
}
3006
del priority
2880
3007
2881
3008
# Parse config file for server-global settings
2882
server_config = configparser.SafeConfigParser(server_defaults)
3009
server_config = configparser.ConfigParser(server_defaults)
2883
3010
del server_defaults
2884
3011
server_config.read(os.path.join(options.configdir, "mandos.conf"))
2885
# Convert the SafeConfigParser object to a dict
3012
# Convert the ConfigParser object to a dict
2886
3013
server_settings = server_config.defaults()
2887
3014
# Use the appropriate methods on the non-string config options
2888
3015
for option in ("debug", "use_dbus", "use_ipv6", "restore",
2960
3087
server_settings["servicename"])))
2961
3088
2962
3089
# Parse config file with clients
2963
client_config = configparser.SafeConfigParser(Client
2964
.client_defaults)
3090
client_config = configparser.ConfigParser(Client.client_defaults)
2965
3091
client_config.read(os.path.join(server_settings["configdir"],
2966
3092
"clients.conf"))
2967
3093
3038
3164
# Close all input and output, do double fork, etc.
3039
3165
daemon()
3040
3166
3041
# multiprocessing will use threads, so before we use GLib we need
3042
# to inform GLib that threads will be used.
3043
GLib.threads_init()
3167
if gi.version_info < (3, 10, 2):
3168
# multiprocessing will use threads, so before we use GLib we
3169
# need to inform GLib that threads will be used.
3170
GLib.threads_init()
3044
3171
3045
3172
global main_loop
3046
3173
# From the Avahi example code
3122
3249
if isinstance(s, bytes)
3123
3250
else s) for s in
3124
3251
value["client_structure"]]
3125
# .name & .host
3126
for k in ("name", "host"):
3252
# .name, .host, and .checker_command
3253
for k in ("name", "host", "checker_command"):
3127
3254
if isinstance(value[k], bytes):
3128
3255
value[k] = value[k].decode("utf-8")
3256
if "key_id" not in value:
3257
value["key_id"] = ""
3258
elif "fingerprint" not in value:
3259
value["fingerprint"] = ""
3129
3260
# old_client_settings
3130
3261
# .keys()
3131
3262
old_client_settings = {
3135
3266
for key, value in
3136
3267
bytes_old_client_settings.items()}
3137
3268
del bytes_old_client_settings
3138
# .host
3269
# .host and .checker_command
3139
3270
for value in old_client_settings.values():
3140
if isinstance(value["host"], bytes):
3141
value["host"] = (value["host"]
3142
.decode("utf-8"))
3271
for attribute in ("host", "checker_command"):
3272
if isinstance(value[attribute], bytes):
3273
value[attribute] = (value[attribute]
3274
.decode("utf-8"))
3143
3275
os.remove(stored_state_path)
3144
3276
except IOError as e:
3145
3277
if e.errno == errno.ENOENT:
3268
3400
pass
3269
3401
3270
3402
@dbus.service.signal(_interface, signature="ss")
3271
def ClientNotFound(self, fingerprint, address):
3403
def ClientNotFound(self, key_id, address):
3272
3404
"D-Bus signal"
3273
3405
pass
3274
3406
3470
3602
sys.exit(1)
3471
3603
# End of Avahi example code
3472
3604
3473
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3474
lambda *args, **kwargs:
3475
(tcp_server.handle_request
3476
(*args[2:], **kwargs) or True))
3605
GLib.io_add_watch(
3606
GLib.IOChannel.unix_new(tcp_server.fileno()),
3607
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
3608
lambda *args, **kwargs: (tcp_server.handle_request
3609
(*args[2:], **kwargs) or True))
3477
3610
3478
3611
logger.debug("Starting main loop")
3479
3612
main_loop.run()
3489
3622
# Must run before the D-Bus bus name gets deregistered
3490
3623
cleanup()
3491
3624
3625
3626
def should_only_run_tests():
3627
parser = argparse.ArgumentParser(add_help=False)
3628
parser.add_argument("--check", action='store_true')
3629
args, unknown_args = parser.parse_known_args()
3630
run_tests = args.check
3631
if run_tests:
3632
# Remove --check argument from sys.argv
3633
sys.argv[1:] = unknown_args
3634
return run_tests
3635
3636
# Add all tests from doctest strings
3637
def load_tests(loader, tests, none):
3638
import doctest
3639
tests.addTests(doctest.DocTestSuite())
3640
return tests
3492
3641
3493
3642
if __name__ == '__main__':
3494
main()
3643
try:
3644
if should_only_run_tests():
3645
# Call using ./mandos --check [--verbose]
3646
unittest.main()
3647
else:
3648
main()
3649
finally:
3650
logging.shutdown()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0